TRANSCRIPT
Using international standards to improve Asia-Pacific cyber security
Tuesday, 24 March, 2015
Alan Calder
IT Governance Ltd
www.itgovernance.asia
Introduction
About Alan Calder…
• Acknowledged international cyber security expert
• Leading author on information security and IT governance issues
• Led the world’s first successful implementation of ISO 27001 (then called BS 7799)
• Consultant on cyber security and IT governance strategies globally, including across the Asia-Pacific region
© IT Governance Ltd 2015
Agenda
• The cyber threat – Breaking down recent high-profile data breaches
• Current legislation – Learn about the current data protection laws in Hong Kong, Australia, Singapore and the Philippines
• International standard – Discover how the cyber security standard, ISO 27001, will help get your business cyber secure
The current cyber threat
• 1 billion data records compromised globally in 2014
• 1,500 data breaches globally in 2014
• $2.8 million is the average cost of a data breach in Australia
• 70% believe cyber attacks are among the three biggest threats facing organisations
The current cyber threat
• 61% of APAC organisations expect a cyber attack to strike their organisation in 2015, but only 43% are prepared
• 76% of APAC organisations have detected security incidents in the past 12 months
• 63% of APAC organisations will increase their security budget over the next 12 months
The changing threat landscape
• 87% of iPhone and 97% of Android top 100 apps have been hacked
• 100% of companies experience virus attacks, and 97% have suffered malware attacks
• 156 million phishing emails are sent every day
• 15 million make it through spam filters
• The average cost for each stolen record in Australia is $145
Why did they fail to avoid a breach?
The changing threat landscape
[Chart: Root cause of data breaches]
Source: Ponemon Institute – Year of the Mega Breach 2014
Case study – Philippine government
• Government websites compromised multiple times by hacktivists
– Nov 2013 – Philippine hacker group linked to Anonymous hacked numerous government websites, calling on the public to support a protest
– Nov 2014 – Philippine branch of Anonymous hacked 11+ government websites to express dissatisfaction: “Your governments have failed you, they sit atop their thrones and abuse their power”
– Feb 2015 – Website compromised by anti-ISIS hacker, posting expletive-ridden message
Case study – Philippine government
• No formal statement from the government about the hacks, how they happened or what they are doing about it, but it is clear that:
– Government is unprepared for a cyber attack and failing to put effective measures in place
– Little or no contingency plans
– Websites restored but government’s lack of security exposed
– Effective way for hacktivists to voice opinions
Case study – Lizard Squad and their infamous DNS attacks
Hacking group Lizard Squad appears to have attacked a number of websites:
Lizard Squad attacks Malaysia Airlines website, January 2015
• Visitors to www.malaysiaairlines.com on Monday 26 January found the message “404 – Plane Not Found”
• Appeared to be a DNS attack, overriding settings and redirecting site visitors to a Lizard Squad-controlled page
• Fully recovered within 22 hours
Google Vietnam hacked by Lizard Squad, February 2015
• Google.com.vn, the search giant’s Vietnamese site, appeared to have suffered a DNS attack by Lizard Squad
• Site visitors found a photo of a man taking a selfie with an iPhone instead of the normal search engine
Lenovo attacked after Superfish controversy, February 2015
• Lizard Squad attacked Lenovo’s website with a DNS attack, redirecting users to a free CloudFlare account
Last year, the hacking group claimed responsibility for attacks on Sony’s PlayStation Network and Microsoft’s Xbox Live network, among others.
Case study – Lizard Squad DNS attacks
What are DNS attacks?
• Domain Name System (DNS)
• DNS hijacking works by overriding TCP/IP settings and redirecting site visitors rather than by assuming control of the actual target site
• DNS hijacking rarely affects customer information, instead causing disruption to affected sites by gaining control over their domain names
Effects
• Websites restored but lack of security/vulnerability exploited
• Effective way for hackers to voice opinions
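As an added example (not part of the original slides), a small Python check for the record drift a DNS hijack of the kind described above produces: it compares the NS and A records a defender observes for their zone against a baseline they maintain and reports anything outside it. The zone name, address prefixes and the short-TTL heuristic are constructed assumptions; observed records would normally come from the team's own resolver or registrar API.

```python
# Detect DNS record drift against a defender-maintained baseline.
# Example code with constructed data; not IT Governance's own tooling.
import ipaddress
from dataclasses import dataclass


@dataclass
class Baseline:
    nameservers: set   # authoritative NS hostnames expected for the zone
    a_prefixes: list   # CIDR prefixes the zone's A records must fall inside
    ttl_floor: int = 300  # heuristic: unusually short TTLs merit a look


def normalise(name):
    """Lower-case and strip the trailing dot so NS names compare cleanly."""
    return name.lower().rstrip(".")


def detect_dns_drift(zone, baseline, observed):
    """Return (severity, finding) tuples; an empty list means no drift."""
    findings = []
    seen_ns = {normalise(n) for n in observed.get("NS", [])}
    expected_ns = {normalise(n) for n in baseline.nameservers}
    rogue = seen_ns - expected_ns
    if rogue:  # an NS the organisation never delegated to
        findings.append(("critical", f"{zone}: unexpected NS {sorted(rogue)}"))
    missing = expected_ns - seen_ns
    if missing:
        findings.append(("high", f"{zone}: missing NS {sorted(missing)}"))
    nets = [ipaddress.ip_network(p) for p in baseline.a_prefixes]
    for ip in observed.get("A", []):  # visitors redirected off-net
        if not any(ipaddress.ip_address(ip) in n for n in nets):
            findings.append(("critical", f"{zone}: A record {ip} outside approved prefixes"))
    ttl = observed.get("TTL")
    if ttl is not None and ttl < baseline.ttl_floor:
        findings.append(("medium", f"{zone}: TTL {ttl}s below floor {baseline.ttl_floor}s"))
    return findings


# Constructed sample: a fictitious zone, one healthy and one hijacked observation.
EXAMPLE_BASELINE = Baseline(
    nameservers={"ns1.example-airline.test", "ns2.example-airline.test"},
    a_prefixes=["203.0.113.0/24"],
)
HEALTHY = {"NS": ["ns1.example-airline.test.", "ns2.example-airline.test."],
           "A": ["203.0.113.10"], "TTL": 3600}
HIJACKED = {"NS": ["ns1.example-airline.test.", "ns-rogue.attacker.test."],
            "A": ["198.51.100.7"], "TTL": 60}

if __name__ == "__main__":
    for label, obs in (("healthy", HEALTHY), ("hijacked", HIJACKED)):
        hits = detect_dns_drift("example-airline.test", EXAMPLE_BASELINE, obs)
        print(label, hits or "no drift")
```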
International case study – Sony Pictures
Data breach
• November 2014
• Hackers infiltrated Sony’s corporate computer network
• Torrents of unreleased Sony Pictures films appeared online
• Personal information about employees (families, emails, salaries, etc.) was leaked
• Plaintext passwords leaked online, along with other credential data
• Huge amount of marketing slide decks were leaked
• Kept Sony staff from using computers for days
• Sony postponed release of upcoming film The Interview
International case study – Sony Pictures
Repercussions
• North Korea blamed, increasing tension with the US
• Ex-employees sought to combine class action lawsuits against Sony
• Costs reach $100 million
How did the breach get so bad?
• Executives ignored ransom emails, treated as spam
• Failed to acknowledge breach until one week later
• Generally lax approach to online security
– April 2011 – Sony’s PlayStation network hacked and 76 million gamers’ accounts compromised
– Inappropriate spending? $250 million budget still couldn’t keep them cyber secure
Small companies are at risk too
• Cyber criminals target indiscriminately
• 60% of breached small organisations close down within six months
• Often lack effective internal security practices
• No dedicated IT security and support
• Passwords, system access easily compromised
• Out-of-date server hardware and software
• Websites are built on common, open-source frameworks – weaknesses easily exploited
What is the board told?
• 32.5% of boards do not receive any information about their cyber security posture and activities
• 38% of the remainder receive reports only annually
• 29% of IT teams don’t report breaches for fear of retribution
Source: IT Governance ‘Boardroom Cyber Watch Survey 2014’
Cyber security skills shortage
Shortage
• Global shortage of two million cyber security professionals by 2017
ISACA report
• 85% believe there is a shortage
• 53% consider it difficult to identify adequate cyber security skills
• 50% plan to increase staff training
Companies should be looking for
• Industry-recognised qualifications (IBITGQ)
Australia
Cyber Security Strategy 2009
• Framework to address the increasing risk of online threats to the country
• Aims to have businesses operate secure and resilient information and communications technologies, thereby protecting the integrity of their own operations and the identity and privacy of their customers
• Criticism – significantly out of date. Prime Minister Tony Abbott is currently pushing for cyber security review
Hong Kong
Personal Data (Privacy) Ordinance (PDPO)
• Governs data subjects’ personal data
• Six principles for data processors to abide by
– DPP4 – practicable steps shall be taken to ensure that personal data are protected against unauthorised or accidental access, processing or erasure
• Max. penalty of five years’ imprisonment and up to HKD$1,000,000
• Data users are liable for any breach by third parties
The Philippines
Cybercrime Prevention Act of 2012
• Enacted to address numerous forms of cyber crime
• Applicable to organisations outside the Philippines
• Met with controversy – many saw the legislation as a heavy-handed undermining of free expression and privacy, therefore the Supreme Court put a temporary restraining order in place
• Feb 2014 – Supreme Court ruled a number of provisions to be constitutional, including:
– Cyber crime offences
– Cyber crime against critical infrastructure
– Misuse of devices
Singapore
Personal Data Protection Act (PDPA) 2012
• Governs the collection, use and disclosure of personal data by organisations
• Only concerns individuals’ data and not corporate data
National Cyber Security Masterplan 2018
• Five-year plan aims to develop Singapore as a “trusted and robust infocomm hub by 2018”
Computer Misuse and Cybersecurity Act 1993 (Amended 2013)
• Provision for securing computer material against unauthorised access or modification, and requires organisations to take appropriate cyber security measures
– Punishable offences could be up to ten years’ imprisonment and/or SGD$50,000 fine
Meeting cyber security legislation
• A strong security posture
• An effective incident response plan
• A CISO appointment
• Implementing industry standards*
Source: 2014 Global Report on the Cost of Cyber Crime - Ponemon and HP
ISO 27001 – the cyber security standard
• ISO 27001 – a globally recognised standard that provides a best-practice framework for addressing the entire range of cyber risks
– Encompasses people, processes and technology
– Systematic approach for establishing, implementing, operating, monitoring, reviewing, maintaining and improving an organisation's information security to achieve business objectives
Key elements of implementing ISO 27001
• Determine the scope of the ISMS
• Consider the context of the organisation and interested parties
• Appoint a senior individual responsible for information security
• Conduct a risk assessment – identify risks, threats and vulnerabilities
• Appoint risk owners for each of the identified risks
• Implement appropriate policies and procedures
• Conduct staff training
• Conduct an internal audit
• Perform continual improvement of the ISMS
How will ISO 27001 benefit your business?
• Increased/appropriate level of information security
– Systematic approach to risks
– Informed decisions on security investments: cost-effective security
• Better work practices that support business goals
• Good marketing opportunities
• Credibility with staff, customers and partner organisations
• Due diligence
• Compliance with corporate governance requirements
– Appropriate action to comply with law
– Manage business risks
– Industry best-practice security
– Internationally recognised good security practice
Benefits of ISO 27001 certification
• Assurance to customers, employees, investors – their data is safe
• Credibility and confidence
• Internationally recognised
• Shows that you have considered all of the information security-associated risks
• Notably fulfilling fiduciary responsibilities
• Supports your adherence to multiple compliance requirements
Why some of the world’s most valuable brands pursue ISO 27001 certification
Google: “This certification validates what I already knew… that the technology, process and infrastructure offers good security and protection for the data that I store in Google Apps”
Amazon: “The certification confirms our longstanding commitment to the security of our services to our customers.”
Microsoft: “…provides external validation that our approach to managing security risk in a global organization is comprehensive and effective, which is important for our business and consumer customers.”
IT Governance
• Helped over 150 organisations achieve ISO 27001 certification worldwide
• 15+ years’ experience
• Highly regarded within the industry
• Unique offering of tools, training and consultancy, which is unavailable elsewhere
Fixed-priced, packaged solutions
You deliver the project independently
You resource the project, calling on specialist tools and courses to aid efficiency and accelerate implementation
Standards and books
Software and documentation templates
Training
Mentor and coach
IT Governance removes all the pain, delivering a certification-ready ISMS, aligned with ISO 27001
You resource the project, use tools and courses and benefit from the expert’s know-how
You own and are in control of the project, receiving hands-on guidance from us
You provide input
Find out more: www.itgovernance.asia/t-iso27001-solutions.aspx